[Samba] Share permission problem if user is member in more than 16 groups on AD

Mārcis Lielturks marcis.lielturks at gmail.com
Wed Jul 14 15:26:05 MDT 2010

Thanks, machine won't provide NFS or ssh login services, so fiddling with max
groups should do no harm!

I googled a bit and found that samba should be recompiled to take advantage
of new NGROUPS_MAX. "./configure" logs also suggested that NGROUPS_MAX is
evaluated only at compile time.

Can anybody share experience on compiling samba on OpenSolaris? What's the
most painless way? I'm considering using the latest 3.5.5 but maybe I should
use the same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
servers, which already replicate storage, so ID mapping must be consistent
between both Samba servers. Servers have to provide shares also to trusted
domains, but 3.0.37 doesn't have idmap_hash and it seems that idmap_rid is not
supported to provide mappings for more than one domain, so anything newer
than 3.0.37 sounds like the right choice.

On 14 July 2010 19:46, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:

> Here is the catch (at least for some people.)
>
> This can break NFS stuff. On my PDC I made a similar change. Home
> directories are not on the PDC. This fixed the problem of people getting
> login failures when logging into windows if they had more than 16 groups.
> But if a user tries to ssh into the PDC, and he is in more than 16 groups,
> his login will fail because the home directory can not be mounted. But if
> your samba server is not functioning as an nfs client then it shouldn't be
> an issue.
>
> My PDC is samba 3.4.x. The BDC's are 3.0.x. Samba 3.0.x domain
> controllers didn't check if your Windows groups exceeded the system group
> max. You could login - you might not have all the access to directories
> you thought you should since your effective group list was still getting
> truncated.
>
> With Samba 3.4.x, samba checks to see how many groups you are in, and if that
> exceeds the ngroups_max it aborts your login. I don't know why. It isn't
> like it is fixing a security hole. It just gets people mad at me.
>
> On 07/14/2010 07:39 AM, Marcis Lielturks wrote:
>> Hi!
>>
>> Running OpenSolaris snv_134 with Samba 3.0.37. Samba is successfully
>> joined to AD domain. AD user "user1" is member in 17 AD groups including
>> "group1", but he cannot access Samba share which has read permissions for
>> "group1". If user account is modified and "group1" becomes user's primary
>> group, then he can access shares. If user is member of only 16 groups, then
>> permissions work as expected regardless of user's primary group.
>>
>> Operating system's "ngroups_max" is set to 1024. I tested with local user
>> and was able to add user to 1024 local groups.
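
Added example, not part of the thread and not Samba code: a small C diagnostic for the situation discussed above, comparing the NGROUPS_MAX value frozen into a binary at compile time with the limit the running system reports, and counting how many of a user's groups exceed the smaller of the two. It assumes glibc-style `getgrouplist()` behaviour; all function names and the default user `root` are hypothetical choices for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes getgrouplist() on glibc */
#endif
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

#ifndef NGROUPS_MAX              /* assumption: fall back to the classic 16 */
#define NGROUPS_MAX 16
#endif

/* Limit frozen into this binary by the headers it was compiled against. */
long compiled_ngroups_max(void) { return (long)NGROUPS_MAX; }

/* A program that sizes its group array from the macro is bound by the
 * smaller value; runtime < 0 means sysconf() could not report a limit. */
long effective_limit(long compiled, long runtime) {
    if (runtime < 0) return compiled;
    return compiled < runtime ? compiled : runtime;
}

/* How many memberships do not fit under the limit. */
long groups_over_limit(long count, long limit) {
    return count > limit ? count - limit : 0;
}

/* Groups the name service reports for the user, primary group included
 * (the way the thread counts them); -1 if the user is unknown. */
long count_user_groups(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    int n = 0;                   /* size 0: glibc only reports the total */
    gid_t unused;
    getgrouplist(user, pw->pw_gid, &unused, &n);
    return n;
}

int main(int argc, char **argv) {
    const char *user = argc > 1 ? argv[1] : "root";
    long compiled = compiled_ngroups_max();
    long runtime = sysconf(_SC_NGROUPS_MAX);
    long limit = effective_limit(compiled, runtime);
    long count = count_user_groups(user);
    if (count < 0) { fprintf(stderr, "unknown user: %s\n", user); return 2; }
    printf("compiled=%ld runtime=%ld effective=%ld\n", compiled, runtime, limit);
    printf("%s: %ld groups, %ld over the limit\n", user, count,
           groups_over_limit(count, limit));
    return groups_over_limit(count, limit) > 0;   /* exit 1 if over the limit */
}
```

The compiled value only changes when the program is rebuilt against headers that carry the new limit, so run the check with a binary built the same way as the daemon in question.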

